GNOME Bugzilla – Bug 317637
Arbitrary code execution on SVG import
Last modified: 2005-10-08 18:47:46 UTC
Distribution/Version: Debian

A Debian user found a possibility to execute arbitrary code on "plain SVG" import. Attached is an exploit and a patch (that still applies to HEAD, just missing a former eval() call, not present anymore). See also http://bugs.debian.org/330890
Created attachment 52880: exploit.svg

Created attachment 52881: dia.patch
Created attachment 53236: A new patch just applied to cvs

I didn't like the approach of the previous patch so I've implemented a different solution. Instead of unconditionally replacing possibly perfectly valid chars it restricts the environment eval() is running in. The simple use case for diasvg_import.py is calling one member function on an already existing object. It does not need any __builtins__ like __import__. The exploit at hand is detected and prevented by this fix. But I'm not a security expert so I'd appreciate further review.

The relevant ChangeLog entry is:

2005-10-08 Hans Breuer <hans@breuer.org>
* plug-ins/python/diasvg_import.py : restrict what eval() can do with strings from svg files. Fixes the arbitrary code execution from bug #317637
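As an added illustration (this is not Dia's code and not the attached patch), the following Python sketch shows the restriction the comment above describes, eval() run with an environment that carries no __builtins__, beside an eval()-free alternative that accepts only a single allowed method call with numeric literal arguments. The Canvas class, the ALLOWED_METHODS set, the name `self` and the sample expressions are assumptions made for the example, not Dia's real importer API.

```python
import ast

# Constructed stand-in for the drawing object the importer calls methods on
# (assumption for this example; not Dia's real object model).
class Canvas:
    def __init__(self):
        self.ops = []

    def move_to(self, x, y):
        self.ops.append(("move_to", x, y))
        return self

    def line_to(self, x, y):
        self.ops.append(("line_to", x, y))
        return self

# Allowlist of member functions the SVG importer is expected to call
# (assumed names for the example).
ALLOWED_METHODS = {"move_to", "line_to"}


def eval_restricted(expr, obj):
    """The approach the bug comment describes: eval() with a global
    environment that exposes only the target object and an empty
    __builtins__, so names such as __import__ do not resolve."""
    env = {"__builtins__": {}, "self": obj}
    return eval(expr, env, {})


def call_without_eval(expr, obj):
    """Stricter alternative: parse the string as an expression and only
    accept the shape self.<allowed method>(<numeric literals>...)."""
    tree = ast.parse(expr, mode="eval")
    call = tree.body
    if not isinstance(call, ast.Call) or not isinstance(call.func, ast.Attribute):
        raise ValueError("only a single method call is allowed")
    target = call.func.value
    if not (isinstance(target, ast.Name) and target.id == "self"):
        raise ValueError("method must be called on self")
    name = call.func.attr
    if name not in ALLOWED_METHODS or call.keywords:
        raise ValueError("method not allowed: %s" % name)
    args = []
    for arg in call.args:
        if not isinstance(arg, ast.Constant) or not isinstance(arg.value, (int, float)):
            raise ValueError("only numeric literal arguments are allowed")
        args.append(arg.value)
    return getattr(obj, name)(*args)


def is_rejected(fn, expr, obj):
    """True if fn refuses expr (NameError from the stripped builtins,
    ValueError from the allowlist, SyntaxError from ast.parse)."""
    try:
        fn(expr, obj)
    except (NameError, ValueError, SyntaxError):
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate call, one that tries to reach __import__.
    print(eval_restricted("self.move_to(1, 2)", Canvas()).ops)
    print(is_rejected(eval_restricted, "__import__('os')", Canvas()))
    print(call_without_eval("self.line_to(3, 4.5)", Canvas()).ops)
    print(is_rejected(call_without_eval, "__import__('os')", Canvas()))
```

Dropping __builtins__ closes the __import__ path the comment names, but eval() still evaluates arbitrary expressions over whatever object is passed in, so for an importer that only ever needs "one member function on an existing object" the allowlisting parser is the smaller attack surface and is also easier to review.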